Bug 146890 - SELinux policy prevent new list creation from web interface
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mailman
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: John Dennis
Duplicates: 151550
Depends On:
Blocks:
Reported: 2005-02-02 10:55 EST by John Dennis
Modified: 2007-11-30 17:10 EST (History)
CC: 2 users

Doc Type: Bug Fix
Last Closed: 2005-02-14 16:45:24 EST


Attachments
python stack trace (4.14 KB, text/html)
2005-02-02 11:01 EST, John Dennis
avc error message in /var/log/messages (451 bytes, text/plain)
2005-02-02 11:01 EST, John Dennis

Description John Dennis 2005-02-02 10:55:06 EST
The SELinux security policy prevents a new list from being created
using the web interface (note: bin/newlist works). Attached are the
mailman stack trace and the avc error message in /var/log/messages.

Note: this was originally reported by Markus Darges
<darges@hrz.uni-siegen.de> on the mm-users mailing list.
Comment 1 John Dennis 2005-02-02 11:01:19 EST
Created attachment 110549 [details]
python stack trace
Comment 2 John Dennis 2005-02-02 11:01:56 EST
Created attachment 110550 [details]
avc error message in /var/log/messages
Comment 3 John Dennis 2005-02-02 11:04:50 EST
Note: short-term workarounds include:

1) Disable SELinux

2) use command line interface to create lists (e.g. bin/newlist)
Comment 4 John Dennis 2005-02-03 09:33:17 EST
[From Markus in a private email]

But that was not the only problem between SELinux and mailman. With 
SELinux turned on I couldn't import a list of new members. I got the 
error that no usable temporary file could be found.
And I wasn't able to change the html sites:

Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
    ChangeHTML(mlist, cgidata, template_name, doc)
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
    os.mkdir(langdir, 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'


Comment 5 Alberto Barbati 2005-02-08 05:56:08 EST
About the problem with importing new members ("no usable temporary
directory"), I just filed bug #147466 with a workaround that does not
require SELinux to be disabled.

About this bug, the file policy.conf contains the following policy:

allow mailman_cgi_t mailman_archive_t:dir { read getattr lock search
ioctl add_name remove_name write };

in order to create a list the "create" permission is also necessary
and should be added. However, this does not seem to be enough, as
there is still a problem when Mailman tries to invoke /usr/sbin/postalias:

RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases
(status: 1, Operation not permitted)

audit2allow says that the problem might be fixed by adding the policy:

allow mailman_cgi_t self:unix_dgram_socket create;

however I didn't feel confident to add that, because of my ignorance
about possible repercussions.
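The comment above derives two candidate allow rules from AVC denials (one adding "create" to the existing mailman_cgi_t / mailman_archive_t dir rule, one for the dgram socket that postalias needs). The script below is an added example, not part of this bug, its attachments, or audit2allow: it performs the same translation that audit2allow does on the old /var/log/messages AVC format, merging the permissions denied per (source type, target type, class) and emitting `self` when source and target types coincide. The log lines are constructed for the example; their pid, exe, name and inode values are made up, only the types and classes match those discussed in the bug.

```python
"""Translate AVC denial lines into SELinux allow rules.

Added example (not Mailman, Fedora policy, or audit2allow code).  The
sample log lines below are constructed to look like the /var/log/messages
AVC entries of the era; pid/exe/name/ino values are invented.
"""
import re
from collections import defaultdict

SAMPLE_AVC_LINES = [
    # create a list directory under /var/lib/mailman/lists (constructed)
    "Feb  2 10:40:12 host kernel: audit(1107358812.123:0): avc:  denied  "
    "{ create } for  pid=4242 exe=/usr/lib/mailman/cgi-bin/create name=ma1 "
    "dev=hda3 ino=12345 scontext=system_u:system_r:mailman_cgi_t "
    "tcontext=system_u:object_r:mailman_archive_t tclass=dir",
    # same source/target pair, different permissions (constructed)
    "Feb  2 10:40:12 host kernel: audit(1107358812.456:0): avc:  denied  "
    "{ write add_name } for  pid=4242 exe=/usr/lib/mailman/cgi-bin/create "
    "name=lists dev=hda3 ino=12300 scontext=system_u:system_r:mailman_cgi_t "
    "tcontext=system_u:object_r:mailman_archive_t tclass=dir",
    # postalias needs a datagram socket; source and target types are equal (constructed)
    "Feb  2 10:40:13 host kernel: audit(1107358813.789:0): avc:  denied  "
    "{ create } for  pid=4243 exe=/usr/sbin/postalias "
    "scontext=system_u:system_r:mailman_cgi_t "
    "tcontext=system_u:system_r:mailman_cgi_t tclass=unix_dgram_socket",
    # a granted entry and must be ignored (constructed)
    "Feb  2 10:40:13 host kernel: audit(1107358813.790:0): avc:  granted  "
    "{ read } for  pid=4243 exe=/usr/sbin/postalias tclass=file",
]

# Only "denied" entries matter; capture the permission set and the three
# fields that identify the access vector.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, permissions) for every denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # granted entries and unrelated log lines are skipped
        yield (
            context_type(m["scontext"]),
            context_type(m["tcontext"]),
            m["tclass"],
            set(m["perms"].split()),
        )


def summarize(lines):
    """Merge the denied permissions per (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(lines):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def allow_rules(lines):
    """Render the merged denials as policy allow rules, one per triple.

    When the target type equals the source type the rule uses the `self`
    keyword, as in the unix_dgram_socket rule quoted in the bug.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Run on the constructed lines it prints one dir rule carrying `add_name create write` and one `self:unix_dgram_socket { create }` rule. As the comment itself notes, such generated rules describe what the denied process tried to do, not what it should be allowed to do; each one is a starting point to check against the domain's intended behaviour before it goes into policy.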
Comment 6 John Dennis 2005-02-14 16:45:24 EST
fixed in latest security policy
Comment 7 Ben Levenson 2005-03-19 12:11:38 EST
*** Bug 151550 has been marked as a duplicate of this bug. ***
